
HTC IQRD Android Permission Leakage

Posted Apr 23, 2012
Authored by Dan Rosenberg | Site vsecurity.com

VSR identified a vulnerability in IQRD. The IQRD service listens locally on a TCP socket bound to port 2479. This socket is intended to allow the Carrier IQ service to request device-specific functionality from IQRD. Unfortunately, there is no restriction or validation on which applications may request services using this socket. As a result, any application with the android.permission.INTERNET permission may connect to this socket and send specially crafted messages in order to perform potentially malicious actions.

tags | advisory, tcp
advisories | CVE-2012-2217
SHA-256 | 62460a143a7893941f8c2a7a320f48f1e15c0964c0c6ff6e99e6284cd21d8be2

                         VSR Security Advisory
http://www.vsecurity.com/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: HTC IQRD Android Permission Leakage
Release Date: 2012-04-20
Application: IQRD on HTC Android Phones
Author: Dan Rosenberg <drosenberg (at) vsecurity.com>
Vendor Status: Patch Released
CVE Candidate: CVE-2012-2217
Reference: http://www.vsecurity.com/resources/advisory/20120420-1/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
-------------------
The IQRD service is HTC's implementation of a Carrier IQ porting layer on
several HTC Android phones. Carrier IQ is a data collection framework that may
be deeply integrated into the Android application stack in order to provide
cell carriers with detailed metrics data on device and network activity [1].
To complete the integration of Carrier IQ on a specific device, phone
manufacturers provide a "porting layer" that allows the Carrier IQ service to
perform specific actions that may vary by device.


Vulnerability Details
---------------------
On December 22nd, VSR identified a vulnerability in IQRD. The IQRD service
listens locally on a TCP socket bound to port 2479. This socket is intended to
allow the Carrier IQ service to request device-specific functionality from
IQRD. Unfortunately, there is no restriction or validation on which
applications may request services using this socket. As a result, any
application with the android.permission.INTERNET permission may connect to this
socket and send specially crafted messages in order to perform potentially
malicious actions.

In particular, it is possible for malicious applications to:

1. Trigger UI popup messages

2. Generate tones

3. Send arbitrary outbound SMS messages that do not appear in a user's
outbox, facilitating toll fraud

4. Retrieve a user's Network Access Identifier (NAI) and corresponding
password, potentially allowing rogue devices to impersonate the user
on a CDMA network
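
Binding to loopback keeps remote hosts out, but every local process that can open a TCP socket can still reach the port. The following is an added audit example, not part of the VSR advisory: it parses /proc/net/tcp-format text and reports listeners on port 2479 with their owning UID. The sample table and the UIDs in it are constructed, and a listener on this port does not by itself show that a build is unpatched.

```python
"""Audit /proc/net/tcp-format text for TCP listeners such as IQRD's port 2479."""
import socket
import struct

IQRD_PORT = 2479      # port named in the advisory (0x09AF in /proc/net/tcp)
TCP_LISTEN = 0x0A     # kernel state code for LISTEN

# Constructed sample in /proc/net/tcp format; not captured from a real device.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:09AF 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10058        0 2345 1 0000000000000000 100 0 0 10 0
   2: 0100007F:09AF 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 20 4 30 10 -1
"""


def parse_listeners(proc_net_tcp_text):
    """Return (ip, port, uid) for every IPv4 socket in LISTEN state."""
    listeners = []
    for line in proc_net_tcp_text.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        if int(fields[3], 16) != TCP_LISTEN:          # established etc. are ignored
            continue
        addr_hex, port_hex = fields[1].split(":")
        # Address is printed as a host-order hex word; this assumes a
        # little-endian device (ARM, x86), where 127.0.0.1 shows as 0100007F.
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        listeners.append((ip, int(port_hex, 16), int(fields[7])))
    return listeners


def find_port(proc_net_tcp_text, port=IQRD_PORT):
    """Listeners on `port`, with a flag for loopback-only binds."""
    return [
        {"ip": ip, "uid": uid, "loopback_only": ip.startswith("127.")}
        for ip, p, uid in parse_listeners(proc_net_tcp_text)
        if p == port
    ]


if __name__ == "__main__":
    for hit in find_port(SAMPLE_PROC_NET_TCP):
        print(hit)
```

On a device, pass the contents of /proc/net/tcp in place of the sample; IPv6 listeners appear in /proc/net/tcp6 and are not covered here.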


Versions Affected
-----------------
The issue is confirmed to affect the HTC EVO 4G, HTC EVO Design 4G, EVO Shift
4G, HTC EVO 3D, HTC EVO View 4G, and HTC Hero on Sprint; and the HTC Vivid on
AT&T.


Vendor Response
---------------
The following timeline details HTC's response to the reported issue:

2011-12-22 Vulnerability reported to HTC
2011-12-28 HTC confirms receipt, replies that fix is planned for early 2012
2012-03-10 VSR requests status update
2012-03-16 HTC confirms fix has been published
2012-03-26 HTC requests clarification on finding
2012-03-26 VSR provides clarification on finding, requests confirmation on
status of fix
2012-04-02 HTC provides confirmation of fix, requests further clarification
2012-04-02 VSR provides clarification on finding
2012-04-12 VSR provides draft advisory to HTC
2012-04-13 HTC provides corrections to advisory, requests disclosure date
2012-04-20 Coordinated disclosure


Recommendation
--------------

HTC has issued a fix that will typically be provided as an OTA update by
affected cell carriers. If the update has not automatically been installed, it
is possible to retrieve the update manually by navigating to Menu -> Settings
-> System Updates -> HTC Software Update -> Check Now.

The following software versions on Sprint are confirmed to resolve this issue:

HTC EVO 4G: 4.67.651.3
HTC EVO Design 4G: 2.12.651.5
HTC EVO Shift 4G: 2.77.651.3
HTC EVO 3D: 2.17.651.5
HTC EVO View 4G: 2.23.651.1

The following software versions on AT&T are confirmed to resolve this issue:

HTC Vivid: 3.26.502.56


All affected devices except the HTC Hero have received an over-the-air update.
HTC and Sprint have declined to update the HTC Hero, citing its 2009 release,
minimal current usage, and lack of malicious applications in the Android
Marketplace exploiting this vulnerability.

Users should be aware that devices that no longer receive updates due to
switching carriers may remain vulnerable.


Common Vulnerabilities and Exposures (CVE) Information
------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned the number
CVE-2012-2217 to this issue. This is a candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.


Acknowledgements
----------------
Thanks to HTC for their response and fix.


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

1. Carrier IQ
http://www.carrieriq.com


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory is distributed for educational purposes only with the sincere
hope that it will help promote public safety. This advisory comes with
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose. Neither Virtual Security Research, LLC nor
the author accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible disclosure
practices:
http://www.vsecurity.com/company/disclosure

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Copyright 2012 Virtual Security Research, LLC. All rights reserved.
